Web Service Client Attributes

The Web Service Client agent profile describes the configuration
that is used for securing outbound web service requests from a web
service client. The name of the web service client must be unique
across all agents.

General

The following General attributes define basic web service client
properties:

Group

The Group mechanism allows you to define a collection of similar
types of agents. The group must be defined before including the particular
agent into a collection.

Password

Defines the password for the web service client agent.

Password Confirm

Confirm the password.

Status

Defines whether the web service client agent will be active
or inactive in the system. By default, this attribute is set to active,
meaning that the agent will participate in securing outbound web service
requests from web service clients and will validate web service responses
from a web service provider.

Universal Identifier

Lists the basic LDAP properties that uniquely identify the web
service client agent.

Security

The following attributes define web service client security
attributes:

Security Mechanism

Defines the type of security credential that is used to secure
the web service client request. You can choose one of the following
security credential types:

STSSecurity — Uses the security token generated
from the Security Token service for a given web service provider.

UserNameToken — Uses User Name Token with digest
password.

UserNameToken-Plain — Uses a user name token
with a clear text password for securing web service requests.

X509Token — Uses the X509 certificate.
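As an added example, not code from OpenSSO, the following Python shows what separates the UserNameToken mechanism from UserNameToken-Plain: the digest form follows the WS-Security UsernameToken Profile 1.0 construction PasswordDigest = Base64(SHA-1(nonce + created + password)), and the provider-side check enforces nonce uniqueness and Created freshness, which is what makes the digest form resistant to replay. The field names, the password table and the skew window are assumptions for illustration.

```python
import base64
import hashlib
import hmac
import os
from datetime import datetime, timezone

# Password type URIs from the OASIS WS-Security UsernameToken Profile 1.0
WSS_UT_NS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#"
PASSWORD_TEXT = WSS_UT_NS + "PasswordText"      # UserNameToken-Plain on the page
PASSWORD_DIGEST = WSS_UT_NS + "PasswordDigest"  # UserNameToken (digest) on the page
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"


def build_username_token(username, password, digest=True, nonce=None, created=None):
    """Client side: the UsernameToken fields the WSC emits for its configured mechanism."""
    if not digest:
        return {"Username": username, "Password": password, "Type": PASSWORD_TEXT}
    nonce = os.urandom(16) if nonce is None else nonce
    created = created or datetime.now(timezone.utc).strftime(TIME_FMT)
    # Profile 1.0: PasswordDigest = Base64(SHA-1(nonce + created + password))
    raw = hashlib.sha1(nonce + created.encode() + password.encode()).digest()
    return {"Username": username, "Password": base64.b64encode(raw).decode(),
            "Type": PASSWORD_DIGEST, "Nonce": base64.b64encode(nonce).decode(),
            "Created": created}


def verify_username_token(token, passwords, seen_nonces, now=None, max_skew=300):
    """Provider side: recompute the digest from the stored password and reject
    stale or replayed tokens. Returns True only for a fresh, valid token."""
    password = passwords.get(token.get("Username"))
    if password is None:
        return False
    if token.get("Type") == PASSWORD_TEXT:
        return hmac.compare_digest(token.get("Password", "").encode(), password.encode())
    nonce = base64.b64decode(token["Nonce"])
    created = token["Created"]
    now_s = now or datetime.now(timezone.utc).strftime(TIME_FMT)
    age = (datetime.strptime(now_s, TIME_FMT) - datetime.strptime(created, TIME_FMT)).total_seconds()
    if abs(age) > max_skew or nonce in seen_nonces:
        return False  # outside the freshness window, or a replayed nonce
    expected = hashlib.sha1(nonce + created.encode() + password.encode()).digest()
    if not hmac.compare_digest(base64.b64decode(token["Password"]), expected):
        return False
    seen_nonces.add(nonce)  # a real provider keeps these in a cache that expires with max_skew
    return True
```

Note that the digest form still requires the provider to hold the clear-text password (or an equivalent), which is why the X509Token and STSSecurity mechanisms are preferred where the provider cannot be trusted with shared secrets.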

STS Configuration

This attribute is enabled when the web service client uses Security
Token service (STS) as the Security Mechanism. This configuration
describes a list of STS agent profiles that are used to communicate
with and secure the web service requests to the STS service.

Discovery Configuration

This attribute is enabled when the web service client is enabled
for Discovery Service security. This configuration describes a list
of Discovery Agent profiles that are used to secure requests made
to the Discovery service.

User Authentication Required

When enabled, this attribute defines that the services client's
protected page requires a user to be authenticated in order to gain
access.

Preserve Security Headers in Message

When enabled, this attribute defines that the SOAP security
headers are preserved by the web service client for further processing.

Use Pass Through Security Token

When enabled, this attribute indicates that the web service
client will pass through the received Security token from the Subject.
It will not try to create the token locally or from STS communication.

Liberty Service Type URN

The URN (Universal Resource Name) describes a Liberty service
type that the web service client will use for service lookups.

Credential for User Token

The attribute represents the username/password shared secrets
that are used by the web service client to generate a Username security
token.

Signing and Encryption

The following attributes define signing and encryption configuration
for web service security:

Is Request Signed

When enabled, the web services client signs the request using
a given token type.

Is Request Header Encrypted

When enabled, the web services client security header will be
encrypted.

Is Request Encrypted

When enabled, the web services client request will be encrypted.

Is Response Signature Verified

When enabled, the web services response signature is verified.

Is Response Decrypted

When enabled, the web services response will be decrypted.

Signing Reference Type

Defines the reference type used when the Security Token service
signs the WSC response. The possible reference types are DirectReference, KeyIdentifier, and X509.

Encryption Algorithm

Defines the encryption algorithm used to encrypt the web service
response.

Encryption Strength

Sets the encryption strength used by the Security Token service
to encrypt the web service response. Select a greater value for greater
encryption strength.

Key Store

The following attributes configure the keystore to be used for
certificate storage and retrieval:

Public Key Alias of Web Service Provider

This attribute defines the public certificate key alias that
is used to encrypt the web service request or verify the signature
of the web service response.

Private Key Alias

This attribute defines the private certificate key alias that
is used to sign the web service request or decrypt the web service
response.

Key Storage Usage

This configuration defines whether to use the default keystore,
or a custom keystore. The following values must be defined for a custom
key store:

Location of Key Store

Password of Key Store

Password of Key

End Points

The following attributes define web service endpoints:

Web Service Security Proxy End Point

This attribute defines a web service end point to which the
web service client is making a request. This end point is optional
unless it is configured as a web security proxy.

Web Service End Point

This attribute defines a web service end point to which the
web service client is making a request.

Kerberos Configuration

Kerberos is a security profile supported by web services security
to secure web services communications between a web service client and
a web service provider. In a typical scenario, a user authenticates to
the desktop and then invokes a web service through the web service client.
The client needs a Kerberos ticket to secure the request to the web service
provider, identifying the user's principal by means of a Kerberos token.
Typically, Kerberos-based web services security is used within the same
Kerberos domain (realm), rather than across boundaries as with, for example,
SAML-based web services security. However, Kerberos is one of the
strongest authentication mechanisms, especially in a Windows Domain
Controller environment.

Kerberos Domain Server

This attribute specifies the Kerberos Key Distribution Center (the
domain controller) hostname. You must enter the fully qualified domain
name (FQDN) of the domain controller.

Kerberos Domain

This attribute specifies the Kerberos Key Distribution Center (KDC)
domain name. Depending on your configuration, the domain name of
the domain controller may be different from the OpenSSO Enterprise
domain name.

Kerberos Service Principal

Specifies the web service principal registered with the KDC.

Use the following format:

HTTP/hostname.domainname@dc_domain_name

hostname and domainname represent
the hostname and domain name of the OpenSSO Enterprise instance. dc_domain_name is the Kerberos domain in which the Windows
Kerberos server (domain controller) resides. This Kerberos domain may
differ from the domain name of the OpenSSO Enterprise instance.
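An added helper, not part of OpenSSO, that checks a value for this attribute against the format above and decomposes it, flagging the usual mistakes (non-HTTP service, unqualified hostname, lower-case realm) while allowing the KDC realm to differ from the instance's DNS domain as the text permits. The hostnames and realm in the checks are constructed.

```python
import re

# Pattern for the format given on the page: HTTP/hostname.domainname@dc_domain_name
SPN_RE = re.compile(r"^(?P<service>[^/@]+)/(?P<host>[^/@]+)@(?P<realm>[^/@]+)$")


def parse_service_principal(spn):
    """Split a service principal into its components and list the problems a
    KDC registration or ticket request would typically trip over."""
    m = SPN_RE.match(spn.strip())
    if not m:
        return None, ["principal must be in the form service/host@REALM"]
    service, host, realm = m.group("service", "host", "realm")
    host_domain = host.split(".", 1)[1] if "." in host else ""
    problems = []
    if service != "HTTP":
        problems.append("service component should be HTTP for a web service principal")
    if not host_domain:
        problems.append("host must be a fully qualified domain name")
    if realm != realm.upper():
        problems.append("realm should be upper case (Kerberos realms are case-sensitive)")
    parts = {"service": service, "host": host, "realm": realm, "host_domain": host_domain,
             # the KDC realm may legitimately differ from the OpenSSO instance's DNS domain
             "cross_domain": realm.lower() != host_domain.lower()}
    return parts, problems
```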

Kerberos Ticket Cache Directory

Specifies the Kerberos TGT (Ticket Granting Ticket) cache directory.
When the user authenticates to the desktop or initializes using kinit (the command used to obtain the TGT from KDC), the
TGT is stored in the local cache, as defined in this attribute.